April 25, 2024, 7:36

Swedish Council presidency presents first full rewrite of Cyber Resilience Act


The EU Council, representing the 27 member states, is moving towards trimming the list of critical products and curtailing the discretion of the European Commission in the new cybersecurity law, according to a new text seen by EURACTIV.

Since the Swedish presidency of the EU Council of Ministers took over the file in January, it has presented three partial compromises on the proposal to introduce basic security requirements for products with digital elements.

The Swedes reworked the entire text over the Easter break, consolidating previous changes and introducing new ones. The new compromise, dated 20 April, will be discussed at the Horizontal Working Party on Cyber Issues on 26 April.

Critical products

The Cyber Resilience Act introduces horizontal obligations for all connected devices. However, whilst a self-assessment will suffice for most products, products considered ‘critical’ will need to undergo external audits.

Critical products are divided into two tiers, based on specific categories listed in the regulation’s annexe. There are two criteria for a product to qualify as critical.

The first criterion concerns whether the product has “a cybersecurity-related functionality, and in particular performs primarily functions critical to security, including securing authentication and access, intrusion prevention and detection, endpoint security or network protection.”

Under Class I, the product categories meeting this criterion have been amended to remove network traffic monitoring systems, whilst wearable technologies and connected products meant to be used by or for children, like smart toys and baby monitors, have been added.

The second criterion relates to whether the product performs a central system function, such as network management, configuration control, virtualisation, personal data processing, or any function that can disrupt many connected devices.

The Class I product categories under this second criterion have been amended even more significantly. Operating systems, web browsers, microcontrollers, and industrial automation and control systems have all been removed.

For the second, higher class, products in the listed categories must meet both criteria to qualify.

Class II product categories have also been modified, removing microprocessors, industrial automation systems and a broad category covering any connected device used by entities qualified as essential under the revised Network and Information Security Directive (NIS2).

Essential requirements

The Swedish EU Council presidency added two additional essential requirements.

First, every connected device should have a unique product identifier to allow its identification. This identifier should be mentioned during the rollout of security patches so that the applicability of the update can be easily determined.

Second, the text requires manufacturers to enable users to securely and easily remove all data and settings from the product, including those enabling access to Wi-Fi networks, so that the product can be disposed of securely.

The text now states that if an essential requirement does not apply to a particular product, perhaps because it may be incompatible with its very nature, the manufacturer must include a justification in the cybersecurity risk assessment in the technical documentation.

This risk assessment should “comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the specific conditions of use.”

Standardisation & certification

The Cyber Resilience Act provides for issuing technical standards that give manufacturers a presumption that their connected product complies with the regulation.

The industry drives the standardisation process. Still, if the Commission considers that the resulting standard strays too far from the intent of the regulation, or if no standard is delivered by the set deadline, the EU executive can issue common specifications instead.

But as delays with European standards have become increasingly common, the Council introduced wording cautioning the Commission against issuing common specifications if the delay is due to technical complexities.

Requirements have also been added to reduce the Commission’s discretion, notably by mandating the EU executive to consult with national representatives, experts and relevant stakeholders.

The EU Council also introduced the possibility for a member state to contest a common specification if it does not entirely satisfy the regulation’s requirements.

The Commission’s discretion has also been narrowed regarding cybersecurity certification schemes, as the text now mandates the levels of assurance ‘substantial’ or ‘high’.

Security updates

In a previous compromise, the Council introduced the principle that products’ default settings should be that security updates are rolled out automatically, allowing users to opt out.

The compromise clarifies that this requirement does not apply to products primarily intended to be integrated as components of other products, nor to devices for which users would not ‘reasonably expect’ automatic updates, such as in an industrial setting where an update could interfere with operations.

Notification mechanism

The initial proposal mandated manufacturers to notify ENISA, the EU cybersecurity agency, about any incidents or actively exploited vulnerabilities. The member states moved this reporting to the national Computer Security Incident Response Team.

In case of incidents, manufacturers would have to inform users about possible corrective measures in a standardised, structured, machine-readable format that can easily be processed automatically.

Additional national measures

The new cybersecurity law is meant to harmonise requirements for connected devices in the EU market. However, the text indicates that national governments can impose additional security requirements for ICT products used by entities that qualify as essential or important under NIS2.
